How Do I Prevent My Internet-connected Devices From Being Hijacked?

Recent attacks on the internet demonstrate that the so-called "internet of things" lacks basic security considerations.

//

I am concerned about the recent denial of service attacks that have, evidently, been driven by huge numbers of compromised internet-connected devices. I don’t want any of my devices to be part of that attack. All of my internet-connected devices are located behind my router (granted an old Linksys BEFSR81) and password protected. Is everything sufficiently “hidden” from internet attacks?? In any event, are strong passwords enough to prevent rogue access?

It’s definitely a concern. Recent events have made two things excruciatingly clear:

We’re connecting more and more non-traditional devices to the internet.

Security on those devices is, apparently, abysmal.

So how do you protect yourself from being part of the problem? Well, as with so many things, there’s no clear or absolute answer – but I do have a couple of ideas.

The term that’s been flying around of late is “the internet of things”.

It’s nothing special, really. It’s not another network, it’s not something super secret or super complex. In fact, you may already have devices that are part of it.

All “the internet of things” really refers to is non-traditional devices connected to the internet. And by “non-traditional”, I basically mean anything you wouldn’t think of as a computer.

That’s really all it is.

Your PC, laptop, smartphone, and tablet are all things we conceptualize as computers. Even your printers and gaming consoles are easily understood to be computers on the inside. Naturally, your router and other networking devices are also what we’d call “traditional” things connected to the internet.

On the other hand, so-called “smart” TVs, security cameras, light switches, light bulbs, refrigerators, washing machines, and perhaps even toasters1 are being connected to the internet for a variety of purposes. Whether you think it’s the best thing since remotely-controlled sliced bread, or the silliest thing you’ve ever heard, the internet is being used in new and novel ways for all sorts of things we’d never considered before.

That whole “never considered” thing is actually part of the problem.

The (lack of) security of things

That appears to be exactly the kind of thing that appears to be happening in recently distributed denial of service (DDOS) attacks.

Hackers aren’t interested in playing with your lighting. They are interested in using the tiny computer inside your light bulb (or other internet-connected smart device) for their purposes elsewhere on the network.

Computer in your light bulb?

Indeed. The easiest – indeed, the cheapest – way to make a device connect to the internet is through a general purpose interface that is, for all intents and purposes, a computer. It may not run Windows (though it might be running Linux), and it may not have as many functions as your desktop computer, but it’s a computer nonetheless. The protocols used to connect to the internet, as well as interface with the device itself, are complex enough that a fair amount of computing power is required to make it happen.

And as we all know, computing power is dirt cheap these days.

Sadly, security is not. Security requires forethought. What we’re finding is that security is often an afterthought.

At best.

What can you do?

Being behind a router is the first step. The problem is, it’s probably a step you’ve already taken. In fact, it’s probably a step most people have taken, and yet internet-connected devices are being hacked on a regular basis anyway.

The single most important step? Change the default password on every internet-connected device you own. Apparently, a large number of hacks have been simply that: attackers discover the device through some means, and are able to log in to the administration of the device, because the owner never changed the default password.

In this case, it seems just about anything other than the default will cause attackers to move on, looking for a vulnerable device elsewhere. Use a strong password anyway, to future-proof yourself from the day when hackers get more aggressive. It’s very likely, for example, that devices do not have brute force log-in protection, and could allow an attacker to try to log in using every possible password.

What you can’t fix …

There are so many ways these inexpensive internet-connected devices can communicate, there’s a near endless supply of things that could go wrong.

For example, many devices use unencrypted connections to reach out to the internet, since https takes more work. That means it’s possible for hackers to see, and perhaps intercept, traffic to and from the devices behind your router. It’s possible that a single compromised device could expose other devices behind your router. Or it could mean nothing at all, depending on the device.

Unfortunately, aside from paying attention to news reports listing specific brands, devices, and models, there’s no practical way to know if your devices are involved.

Aside from disconnecting it from the internet, it’s almost impossible to know whether or not your refrigerator is helping to take down websites.

What I do

As geeky as I am, I have surprisingly few “internet of things” things. Don’t get me wrong – I have many devices connected to the internet, but they mostly fall into the category of “traditional” devices. Computers, laptops, mobile phones – even Amazon’s Echo – all qualify as more-or-less full-fledged computers.

The one exception is that I do have so-called “smart” TVs. It didn’t take long for me to feel that they weren’t smart enough; in the interest of preserving internet bandwidth – for a long time a scarce commodity here – I left them disconnected. I notice no function or feature loss by using them without connectivity.

While some of the features and functionality of newer devices is appealing, it’s not appealing enough – to me – to make it worthwhile to just buy something because it can connect to the internet. If I were building a home from scratch, I’d probably build more in, but as it is, each device is a case-by-case basis, and the connectivity just doesn’t add that much value to the way we use our devices.

That may change over time, as we learn new ways to make use of that connectivity. Hopefully, in the meantime, we’ll also learn how to make them secure.

What is frustrating

What’s particularly frustrating for internet technologists is that we’ve been here before.

All the lessons we’ve learned over the years from technologies like Bluetooth (originally very insecure), wireless keyboards, and even the Wi-Fi protocols we use every day have been, for the large part, ignored by the manufacturers of these new internet-connected devices. They opted for cheap and fast-to-market over keeping things secure3.

Footnotes & references

1: One concept toaster gets the daily weather forecast from the internet and burns it onto your toast.

2: I was tempted to title this section “You can’t fix stupid”, but that’s not actually fair. Most of the decisions that have lead to this situation aren’t as much about stupidity as they are about time pressure, ignorance, and failing to learn the lessons of the past.

3: It’s actually a complex equation. Consumers don’t care about their refrigerator being secure, as long as it works. It’s a hard sell to convince consumers to pay something extra, or wait a little longer, so their fridge doesn’t also participate in the take-down of some random site on the internet.

Leo Who?

I'm Leo Notenboom and I've been playing with computers since I took a required programming class in 1976. I spent over 18 years as a software engineer at Microsoft, and after "retiring" in 2001 I started Ask Leo! in 2003 as a place to help you find answers and become more confident using this amazing technology at our fingertips. More about Leo.

9 comments on “How Do I Prevent My Internet-connected Devices From Being Hijacked?”

I have changed the password to the router and the wi-fi connection is also password protected. I thought it also made sense to limit the number of DHCP connections to the number of devices I wanted connected to my router. Does that make sense? Does that give even a bit more protection? I figure that even if they can manage to figure out the wi-fi password, they still can’t get on my network because I haven’t made any space available. Make sense? Or am I just fooling myself?

Okay I am not too informed on a lot of stuff you talk about…way beyond me but saying that How do you know or where are default passwords and how does one change them? it?
Do ZigBee chips cause these problems?
thank you

The default password is the original password that comes preset with the device. It is often found on the devices’ labels. As for how to change them, you would have to check with the manual which came with the device or download it from the device manufacturer’s website.

Some of the problems are, especially with older devices :
Some devices may not have any password, and may not have the capacity to have any.
Some devices have hard coded passwords that you can’t change, like they are burned in ROM or PROM.
Many just don’t have the capacity to encrypt their transmissions.
Some will always accept any anonymous request over WI-FI.

Ward, that won’t make IoT devices any more secure. If an unsecured device can reach out to the Internet it can also be seen and hijacked from the Internet regardless of how many layers deep you bury it.

Do you have an opinion about a new device being funded on Kickstarter, called Akita, which purports to protect your home connected IoT items from exploitation? Or is this one of those items that will best be left until it is a proven technology?? The bargain hunter in me wants to get in on the ground floor, but the skeptic in me is cautious….
AKITA — Instant Privacy for Smart Homes. {link removed}

Leave a reply:

Before commenting please:

Read the article.

Comment on the article.

No personal information.

No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.